Protection from unfamiliar login locations

ABSTRACT

In one embodiment, a user authentication server may use geo-location tracking to determine whether to present an enhanced identity challenge. A communication interface  180  may receive a user login attempt by a user and a current location of the user login attempt. A data storage  150  may store a user location profile of the user. A processor  120  may execute a comparison of the current location to the user location profile. The communication interface  180  may present the user with an enhanced identity challenge before allowing user access based on the comparison.

PRIORITY INFORMATION

This application claims priority from U.S. Provisional PatentApplication Ser. No. 61/491,129, filed May 27, 2011, and the U.S. patentapplication Ser. No. 13/176,762, filed Jul. 6, 2011, the contents ofwhich are incorporated herein by reference in its entirety.

BACKGROUND

A service, such as an e-mail account, banking service, social network,or remote work computer access, may contain sensitive data that a userdoes not want disseminated to the general public. Thus, a service mayuse password protection to restrict access to only authorized users whocan authenticate a right of access to a user session. A login interfacemay query the user for a password having a series of characters, such asletters, numbers, and signs. An authentication service may deny accessto the user if the characters are in an improper order, if the lettersare in the wrong case, or if the password fails to match the storedpassword in any way.

The authentication service may give the user a set number of tries atproviding the password before that user is blocked from further attemptsto access the computing device or service. The user may then contact anadministrator to access the service, after providing some proof ofidentification. Such proof of identification may be a governmentidentification or a pre-registered set of questions that presumably onlythe user can answer. Alternately, if the user fails to provide theproper password, a computing device or service may erase data.

A malicious actor may seek to hijack a user's account by co-opting theuser's password. Once the malicious actor has taken control of theaccount, that malicious actor may change the password, steal user data,harass the user's contacts, perform criminal acts, spy on the user'sactions, or take control of the user's account.

SUMMARY

This Summary is provided to introduce a selection of concepts in asimplified form that is further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter.

Embodiments discussed below relate to a user authentication server usinglocation tracking to determine whether to present an enhanced identitychallenge. In one embodiment, a communication interface may receive auser login attempt by a user and a current location of the user loginattempt. A data storage may store a user location profile of the user. Aprocessor may execute a comparison of the location to the user locationprofile. The communication interface may present the user with anenhanced identity challenge before allowing user access based on thecomparison.

DRAWINGS

In order to describe the manner in which the above-recited and otheradvantages and features can be obtained, a more particular descriptionis set forth and will be rendered by reference to specific embodimentsthereof which are illustrated in the appended drawings. Understandingthat these drawings depict only typical embodiments and are nottherefore to be considered to be limiting of its scope, implementationswill be described and explained with additional specificity and detailthrough the use of the accompanying drawings.

FIG. 1 illustrates a block diagram of an exemplary computing device.

FIGS. 2a-c illustrate, in block diagrams, embodiments of locationdivisions.

FIG. 3 illustrates, in a block diagram, one embodiment of a userlocation profile record.

FIG. 4 illustrates, in a block diagram, one embodiment of an enhancedidentity challenge record.

FIG. 5 illustrates, in a flowchart, one embodiment of a method forcreating a user location profile.

FIG. 6 illustrates, in a flowchart, one embodiment of a method fordetermining whether to present an enhanced identity challenge.

FIG. 7 illustrates, in a flowchart, one embodiment of a method forexecuting a comparison with a user location profile.

FIG. 8 illustrates, in a flowchart, one embodiment of a method forremediating a compromised account.

DETAILED DESCRIPTION

Embodiments are discussed in detail below. While specificimplementations are discussed, it should be understood that this is donefor illustration purposes only. A person skilled in the relevant artwill recognize that other components and configurations may be usedwithout parting from the spirit and scope of the subject matter of thisdisclosure. The implementations may be a machine-implemented method, atangible machine-readable medium having a set of instructions detailinga method stored thereon for at least one processor, or a userauthentication server.

A user service may use a user authentication server to determine whethera user is authorized to access the user service. The user authenticationserver may use a user identifier and password to authorize the usersession. A user login attempt refers to the presentation by the user ofthe user identifier and password. Additionally, the user authenticationserver may factor in the location of the device making the login attemptto determine whether the increased security of an enhanced identitychallenge outweighs the increased hassle to the user. The location maybe a geographic location, or “geo-location”, or may be a virtuallocation in the network. The user authentication server may derive thegeo-location of the login attempt from the internet protocol (IP)address.

An enhanced identity challenge is a question that the user theoreticallycan answer, but no one else. The enhanced identity challenge may be alow difficulty identity challenge or a high difficulty identitychallenge. A low difficulty identity challenge is a question regardingpersonal information that may be gleaned from other records. Forexample, a low difficulty identity challenge may be “What is your age?”A high difficulty identity challenge may be a question regardingpersonal information that the user knows, but is not present in otherrecords. For example, a high difficulty identity challenge may be “Whowas your first love?” Alternatively, the high difficulty identitychallenge may send the user a short messaging system (SMS) code or emailto an account address associated with the user account.

The user authentication server may be operated in an observation mode tocollect a login geo-location history to create a user location profile.While in observation mode, the user authentication server may collectthe geo-location of the user login attempts while not making anycomparisons to the user location profile to determine if an enhancedidentity challenge may be made.

The user authentication server may determine one or more home region forthe user. The home region is an area centered on the home location of auser. The home region may be entered directly by the user or divinedfrom login geo-location history, such as a geographic area with frequentuser login attempts or a location with a previously solved geo-locationchallenge. The user authentication server may adjust size of the homeregion based on user activity, a system configuration, or other systemproperties.

A familiar location is a location for a verified user login attempt. Theuser login attempt may be verified through the use of the enhancedidentity challenge. The user authentication server may decertify afamiliar location if that familiar location has not been used for a userlogin attempt for a set period of time, referred to as an aging period.

The user authentication server may activate observation mode for a userupon first registration for the user service, or at later date if alocal kill switch is activated. The local kill switch disables acomparison between the current geo-location and the user locationprofile. The user authentication server may still collect the loginlocation history while the local kill switch is activated. The userauthentication server may also have a global kill switch that disablesall collection of the geo-location data for any user. The user mayactivate a user kill switch which may either disable the comparisonbetween the current geo-location and the user profile, or disable allcollection of the geo-location data for that user. The user may activatethe user kill switch if the user is making a one-time trip to anunfamiliar location and does not want that location added to the userlocation profile.

Thus, in one embodiment, a user authentication server may usegeo-location tracking to determine whether to present an enhancedidentity challenge. A user authentication server may have acommunication interface to receive a user login attempt by a user and acurrent geo-location of the user login attempt. A user authenticationserver may have a data storage to store a user location profile of theuser. A user authentication server may have a processor to execute acomparison of the geo-location to the user location profile. Thecommunication interface may present the user with an enhanced identitychallenge before allowing user access based on the comparison.

FIG. 1 illustrates a block diagram of an exemplary computing device 100which may act as a user authentication server. The computing device 100may combine one or more of hardware, software, firmware, andsystem-on-a-chip technology to implement user authentication. Thecomputing device 100 may include a bus 110, a processor 120, a memory130, a read only memory (ROM) 140, a storage device 150, an input device160, an output device 170, and a communication interface 180. The bus110 may permit communication among the components of the computingdevice 100.

The processor 120 may include at least one conventional processor ormicroprocessor that interprets and executes a set of instructions. Thememory 130 may be a random access memory (RAM) or another type ofdynamic storage device that stores information and instructions forexecution by the processor 120. The memory 130 may also store temporaryvariables or other intermediate information used during execution ofinstructions by the processor 120. The ROM 140 may include aconventional ROM device or another type of static storage device thatstores static information and instructions for the processor 120. Thestorage device 150 may include any type of tangible machine-readablemedium, such as, for example, magnetic or optical recording media andits corresponding drive. The storage device 150 may store a set ofinstructions detailing a method that when executed by one or moreprocessors cause the one or more processors to perform the method. Thestorage device 150 may also be a database or a database interface forstoring user location profiles and user authentication data.

The input device 160 may include one or more conventional mechanismsthat permit a user to input information to the computing device 100,such as a keyboard, a mouse, a voice recognition device, a microphone, aheadset, etc. The output device 170 may include one or more conventionalmechanisms that output information to the user, including a display, aprinter, one or more speakers, a headset, or a medium, such as a memory,or a magnetic or optical disk and a corresponding disk drive. Thecommunication interface 180 may include any transceiver-like mechanismthat enables processing device 100 to communicate with other devices ornetworks. The communication interface 180 may include a networkinterface or a mobile transceiver interface. The communication interface180 may be a wireless, wired, or optical interface.

The computing device 100 may perform such functions in response toprocessor 120 executing sequences of instructions contained in acomputer-readable medium, such as, for example, the memory 130, amagnetic disk, or an optical disk. Such instructions may be read intothe memory 130 from another computer-readable medium, such as thestorage device 150, or from a separate device via the communicationinterface 180.

The user authentication server may store a variety of locations visitedby a user as a user location profile. The user authentication server mayidentify a location by different designations. FIGS. 2a-c illustratedifferent locations with different designations. The designations maydetermine the level of security for a user authentication. A geographiclocation may be designated a home region 202, a familiar location 204,or a fraud hotspot 206. A home region 202 is a general geographic areaaround the primary residence of a user. The home region 202 may have asize that varies based on how far a user tends to roam from the primaryresidence. The home region 202 may have the lowest level of security. Afamiliar location (FL) 204 is the geographic area of an access pointfrom which a user has accessed the user service and provided identityconfirmation. The user may confirm his or her identity by responding toan enhanced identity challenge. The familiar location 204 may have afairly low security. An undesignated location may have a medium level ofsecurity. A fraud hotspot (FHS) 206 is a geographic location with areputation of containing identity thieves or other malicious actors. Theuser authentication server may receive updates of fraud hotspots 206from a news or government server. The fraud hotspot 206 may have a highlevel of security.

For example, FIG. 2a shows a map of a portion of the Northern Hemisphere200. A user may be based in Seattle, Wash. The user may then beassociated with a home region 202 centered around Seattle, Wash. A loginattempt by a user from that home region 202 may use just a passwordrequest. The user may travel frequently to Dallas, Tex.; New York, N.Y.;London, England; and Cairo, Egypt. The user may have made frequent loginattempts from each of these locations, confirming the identity of theuser at each location. The user authentication server may associate eachof these locations with the user as a familiar location 204. A loginattempt by a user from that familiar location 204 may use a passwordrequest, with a low difficulty enhanced identity challenge every otherlogin attempt. An illicit login attempt of numerous user accounts mayhave been tried by a malicious actor in Abuja, Nigeria, earning a fraudhotspot 206 designation. A login attempt by a user from that fraudhotspot 206 may use a password request and a high difficulty enhancedidentity challenge.

In a further example, FIG. 2b shows a map of the United States 220. Auser may then be associated with a home region 202 centered around CedarRapids, Iowa. The user may travel frequently to El Paso, Tex. andJaurez, Mexico. The user may have made frequent login attempts from eachof these locations, designating each a familiar location 204. A familiarlocation 204 in a home country 222 may have a lower level of securitythan a familiar location 204 outside the home country 222. A loginattempt by a user from the familiar location 204 outside the homecountry 222 may use a password request, with a low difficulty enhancedidentity challenge, every login attempt.

In another example, FIG. 2c shows a map of the United States-Mexicoborder 220. A user may then be associated with a home region 202centered around San Diego, Calif. The user may cross the borderfrequently to Tijuana, Mexico, earning a designation as a familiarlocation 204, or even be considered part of the home region 202. Eventhough the familiar location 204 is outside home country 222, thefamiliar location 204 may have a lower level of security as the familiarlocation 204 is in close proximity to the home region 202.

The user authentication server may store the user location profile as auser location profile record. FIG. 3 illustrates, in a block diagram,one embodiment of a user location profile record 300. The user locationprofile record 300 may have a user identifier (ID) field 302 that storesa user identifier indicating the user. The user location profile record300 may have a location field 304 indicating a location for a user loginattempt. The location field 304 may indicate the location in latitudeand longitude on the degree, minute, or second level. The location field304 may also indicate the country of the location. The location field304 may track a previous location of the user, or a familiar locationentered by the user. The user location profile record 300 may have arange field 306 indicating a given range surrounding the location. Anyfurther login attempts that are within that range may be covered by thesame user location profile record 300. The user location profile record300 may have time field 308 indicating the last time that a userattempted to login from that location. The last login time may be usedto calculate a traveling distance. Traveling distance is calculated byconsidering how far a user may reasonably travel from the immediatelyprevious location since the last login time. The user location profilerecord 300 may have a frequency (FREQ) field 310 that tracks the numberof login attempts at the login location. The frequency field 310 mayindicate a total number of login attempts at that login location or anaverage number of login attempts over a set time period. The userlocation profile record 300 may have a status field 312 that indicatesif the location is a home region 202, a familiar location 204, or afraud hotspot 206. The status field 312 may be assigned by a user or anadministrator, or may be determined using the frequency of loginattempts.

Based on a comparison of a user login attempt with the user locationprofile, a password request may be followed up with an enhanced identitychallenge. FIG. 4 illustrates, in a block diagram, one embodiment of anenhanced identity challenge record. The enhanced identity challengerecord 400 may have a user identifier field 402 that stores a useridentifier indicating the user. The enhanced identity challenge record400 may have a password field 404 indicating the password associatedwith that user identifier. The enhanced identity challenge record 400may have a challenge field 406 indicating the enhanced identitychallenge. The enhanced identity challenge may be one of a default setof questions or a question submitted by the user. The enhanced identitychallenge record 400 may have a response field 408 indicating the properanswer to the enhanced identity challenge. The enhanced identitychallenge record 400 may have a difficulty field 410 that indicates ifthe enhanced identity challenge is a high difficulty identity challengeor a low difficulty identity challenge.

FIG. 5 illustrates, in a flowchart, one embodiment of a method 500 forcreating a user location profile. A user authentication server maycollect a set of login data upon creation of the account, such as a useridentifier and a password (Block 502). The user authentication servermay collect a low difficulty identity challenge and a high difficultyidentity challenge (Block 504). The user authentication server maycollect a low difficulty identity challenge response and a highdifficulty identity challenge response (Block 506). If a local killswitch has been activated (Block 508), the ability of the userauthentication server to execute a comparison of a current geo-locationwith a user location profile is disabled. The user authentication servermay activate observation mode (Block 510). In observation mode, the userauthentication server records the geo-location of the user loginattempts to create a user location profile but does not compare thatgeo-location with the user location profile. The user authenticationserver may collect a login location history for the user (Block 512).The user authentication server may create a user location profileassociated with a user account based on the login location history(Block 514). The user authentication server may determine a home regionfor the user based on the login location history (Block 516). The userauthentication server may size the home region based on user activity(Block 518). The user authentication server may designate a geographiclocation as a familiar location based on the login location history(Block 520). If the user authentication server has stored a thresholdnumber of familiar locations, referred to as a location threshold, orhas been in observation mode for a set amount of time, referred to as alearning period threshold (Block 522), then the user authenticationserver may exit observation mode (Block 524).

FIG. 6 illustrates, in a flowchart, one embodiment of a method 600 fordetermining whether to present an enhanced identity challenge. The userauthentication server may receive from the user a user login attempt toa user service (Block 602). A user login attempt occurs when the userenters a password matching the password on file for that user. A userlogin attempt does not necessarily mean a completed login attempt inthis circumstance. If a global kill switch has been activated (Block604), the ability of the user authentication server to recognize thecurrent geo-location is disabled. If a user kill switch has beenactivated (Block 606), the ability of the user authentication server torecognize the current geo-location is disabled.

The user authentication server may recognize a current geo-location of auser login attempt (Block 608). The user authentication server mayexecute a comparison of the current geo-location to a user locationprofile associated with a user account (Block 610). If the unfamiliarlogin location counter exceeds an unfamiliar login location threshold(Block 612), the user authentication server may present the user with anenhanced identity challenge (Block 614). The unfamiliar login locationcounter is a counter used to identify a series of user login attemptsfrom unfamiliar login locations. Login attempts from multiple locationsmay often be used by malicious actors to mask their trail.

If the comparison indicates that an enhanced identity challenge is notdesirable (Block 616), the user authentication server may decertify anyfamiliar location with an expired aging period (Block 618). The agingperiod is the time since the last access by the user to a familiarlocation. If the user does not access the familiar location within athreshold time period, the aging period expires. The user authenticationserver may allow access to the user session (Block 620).

If the comparison indicates that an enhanced identity challenge isdesirable (Block 616), the user authentication server may present theuser with an enhanced identity challenge before allowing user accessbased on the comparison (Block 614). If the user does not successfullyrespond to the enhanced identity challenge (Block 622), the userauthentication server may mark the account as a compromised account upona failed response to the enhanced identity challenge (Block 624). Theuser authentication server may freeze the account, preventing futureaccess to the account, even if the access has the correct useridentifier and password (Block 626). The user authentication server mayclear a familiar location list of the compromised account (Block 628).The familiar location list describes the familiar locations associatedwith the user account.

If the user successfully responds to the enhanced identity challenge(Block 622), the user authentication server may designate the currentgeo-location as a familiar location (Block 630). The user authenticationserver may resize the home region based on user activity (Block 632).The user authentication server may decrement or reset the unfamiliarlogin location counter based on familiarization process (Block 634). Theuser authentication server may decertify any familiar location with anexpired aging period (Block 618). The user authentication server mayallow access to the user session (Block 620).

FIG. 7 illustrates, in a flowchart, one embodiment of a method 700 forexecuting a comparison with a user location profile. If the currentgeo-location is a familiar location that the user has been present infor a familiarity period (Block 702), the user authentication server maydecrement or reset the unfamiliar login location counter based onfamiliarization process (Block 704). Thus the possibility of an enhancedidentity challenge decreases after a period of user login attempts froma familiar location. The user authentication server may forgo anenhanced identity challenge (Block 706). If the user login attempt isfrom a trusted device (Block 708), the user authentication server mayfactor that in to a determination to forgo the enhanced identitychallenge (Block 706). A trusted device is a device previouslyassociated with a user. A trusted device may be identified by a logincookie or other identifying piece of code stored on a user device.

If the current geo-location is not a familiar location (Block 702) andthe user login attempt is not from a trusted device (Block 708), theuser authentication server may increment an unfamiliar login locationcounter (Block 710). If the current geo-location is a fraud hotspot(Block 712), the user authentication server may select a high challengelevel for the enhanced identity challenge to be sent to the user (Block714). The user authentication server may send a SMS code or an automatedtelephone call to a mobile telephone or landline number associated withthe user account (Block 716). Additionally, the user authenticationserver may track whether the landline number is located near the currentgeo-location. The user authentication server may track in the userlocation profile an immediately previous location of a user (Block 718).If the user authentication server determines that the immediatelyprevious location is not within traveling distance of the currentgeo-location (Block 720), the user authentication server may select ahigh challenge level for the enhanced identity challenge to be sent tothe user (Block 714). If the user authentication server determines thatthe immediately previous location is within traveling distance of thecurrent geo-location (Block 720), the user authentication server mayselect a low challenge level for the enhanced identity challenge to besent to the user (Block 722).

A user authentication server may have a user attempting to access acompromised account perform some extra actions in order to safelyidentify the user. Additionally, a user may have lost or forgotten apassword. The user authentication server may reset the password afterpresenting a high difficulty identity challenge.

FIG. 8 illustrates, in a flowchart, one embodiment of a method 800 forremediating a compromised account or forgotten password. The userauthentication server may receive from the user a remediation attemptfor the user account (Block 802). The user authentication server mayrecognize a current geo-location of a user login attempt (Block 804).The user authentication server may present the user with a highdifficulty identity challenge (Block 806).

If the user does not successfully respond to the enhanced identitychallenge (Block 808), the user authentication server may deny access tothe user session (Block 810). If the user does successfully respond tothe enhanced identity challenge (Block 808), the user authenticationserver may remove the compromised marking from the compromised account(Block 812). The user authentication server may unfreeze the useraccount (Block 814). The user authentication server may decrement orreset the unfamiliar login location counter upon successful response tothe enhanced identity challenge (Block 816). The user authenticationserver may reset the password to a new password received from the user(Block 818). The user authentication server may allow access to the usersession (Block 820).

Although the subject matter has been described in language specific tostructural features and/or methodological acts, it is to be understoodthat the subject matter in the appended claims is not necessarilylimited to the specific features or acts described above. Rather, thespecific features and acts described above are disclosed as exampleforms for implementing the claims.

Embodiments within the scope of the present invention may also includenon-transitory computer-readable storage media for carrying or havingcomputer-executable instructions or data structures stored thereon. Suchnon-transitory computer-readable storage media may be any availablemedia that can be accessed by a general purpose or special purposecomputer. By way of example, and not limitation, such non-transitorycomputer-readable storage media can comprise RAM, ROM, EEPROM, CD-ROM orother optical disk storage, magnetic disk storage or other magneticstorage devices, or any other medium which can be used to carry or storedesired program code means in the form of computer-executableinstructions or data structures. Combinations of the above should alsobe included within the scope of the non-transitory computer-readablestorage media.

Embodiments may also be practiced in distributed computing environmentswhere tasks are performed by local and remote processing devices thatare linked (either by hardwired links, wireless links, or by acombination thereof) through a communications network.

Computer-executable instructions include, for example, instructions anddata which cause a general purpose computer, special purpose computer,or special purpose processing device to perform a certain function orgroup of functions. Computer-executable instructions also includeprogram modules that are executed by computers in stand-alone or networkenvironments. Generally, program modules include routines, programs,objects, components, and data structures, etc. that perform particulartasks or implement particular abstract data types. Computer-executableinstructions, associated data structures, and program modules representexamples of the program code means for executing steps of the methodsdisclosed herein. The particular sequence of such executableinstructions or associated data structures represents examples ofcorresponding acts for implementing the functions described in suchsteps.

Although the above description may contain specific details, they shouldnot be construed as limiting the claims in any way. Other configurationsof the described embodiments are part of the scope of the disclosure.For example, the principles of the disclosure may be applied to eachindividual user where each user may individually deploy such a system.This enables each user to utilize the benefits of the disclosure even ifany one of a large number of possible applications do not use thefunctionality described herein. Multiple instances of electronic deviceseach may process the content in various possible ways. Implementationsare not necessarily in one system used by all end users. Accordingly,the appended claims and their legal equivalents should only define theinvention, rather than any specific examples given.

We claim:
 1. A user authentication server, comprising: a communicationinterface configured to receive a user login attempt by a user and acurrent geo-location of the user login attempt; a data storageconfigured to store a user location profile of the user identifying afamiliar location based on a login location history describing alocation for a verified user login attempt within an aging period,wherein the familiar location is decertified from the user locationprofile upon an expiration of the aging period; and a processor deviceconfigured to execute a comparison of the current geo-location of theuser login attempt to the familiar location of the user locationprofile, presenting the enhanced identity challenge for answering by theuser before allowing user access when the current geo-location isoutside the familiar location, and otherwise not sending the enhancedidentity challenge within the familiar location.
 2. The userauthentication server of claim 1, wherein the data storage is configuredto store the current geo-location as a familiar location upon successfulresponse to the enhanced identity challenge.
 3. The user authenticationserver of claim 1, wherein the data storage is configured to track inthe user location profile a previous location of the user.
 4. The userauthentication server of claim 1, wherein the processor is configured todetermining whether an immediately previous location is within travelingdistance of the current geo-location and to select a challenge level forthe enhanced identity challenge based on whether the currentgeo-location is within traveling distance.
 5. The user authenticationserver of claim 1, wherein the communication interface is configured tosend the user a high difficulty identity challenge as an enhancedidentity challenge if the current geo-location is not within travelingdistance.
 6. The user authentication server of claim 1, wherein thecommunication interface is configured to send a short messaging systemcode to a mobile telephone associated with the user.
 7. The userauthentication server of claim 1, wherein the data storage is configuredto mark a user account as a compromised account upon a failed responseto the enhanced identity challenge.
 8. The user authentication server ofclaim 1, wherein the communication interface is configured to collect alow difficulty identity challenge response and a high difficultyidentity challenge response.
 9. The user authentication server of claim1, wherein the processor is configured to determine a home region basedon the login location history.
 10. The user authentication server ofclaim 1, wherein the processor is configured to resize the home regionbased on at least one of user activity and system configuration.
 11. Theuser authentication server of claim 1, wherein the processor isconfigured to present the user with the enhanced identity challenge whenan unfamiliar login location counter exceeds an unfamiliar loginlocation threshold.
 12. The user authentication server of claim 1,further comprising: an unfamiliar login location counter configured todecrement upon successful response to the enhanced identity challenge.13. A computing device being configured to: store in a memory a userlocation profile of a user identifying a familiar location based on alogin location history describing a location for a verified user loginattempt within an aging period, wherein the familiar location isdecertified from the user location profile upon an expiration of theaging period, recognize a current geo-location of a user login attemptto a user service, execute a comparison of the current geo-location tothe familiar location of the user location profile, present a user withan enhanced identity challenge for answering by the user before allowinguser access when the current Cleo-location is outside the familiarlocation, and otherwise not present the enhanced identity challengewithin the familiar location.
 14. The computing device of claim 13,wherein the computing device is further configured to mark a useraccount as a compromised account upon a failed response to the enhancedidentity challenge.
 15. The computing device of claim 13, wherein thecomputing device is further configured to clear a familiar location listof a compromised account.
 16. The computing device of claim 13, whereinthe computing device is further configured to factor whether the userlogin attempt is from a trusted device into a determination to presentthe enhanced identity challenge.
 17. The computing device of claim 13,wherein the computing device is further configured to select a challengelevel for the enhanced identity challenge based on whether the currentgeo-location is a fraud hotspot.
 18. A machine-implemented method forauthenticating a user session, comprising: storing in a memory a userlocation profile of a user identifying a familiar location describing alocation for a verified user login attempt within an aging period,wherein the familiar location is decertified from the user locationprofile upon an expiration of the aging period; recognizing a currentgeo-location of a user login attempt to a user service over acommunication interface; using at least one hardware processor toimplement: executing a comparison of the current geo-location to thefamiliar location of the user location profile; presenting a user withan enhanced identity challenge for answering by the user before allowinguser access when the current geo-location is outside the familiarlocation; and otherwise not presenting the enhanced identity challengewithin the familiar location.
 19. The method of claim 18, furthercomprising: marking a user account as a compromised account upon afailed response to the enhanced identity challenge.
 20. Amachine-implemented method for authenticating a user session,comprising: creating a user location profile associated with a useraccount indicating a familiar location based on a login locationhistory, wherein the familiar location is decertified from the userlocation profile upon an expiration of an aging period; executing acomparison of a current geo-location of a user login attempt to thefamiliar location of the user location profile; presenting a user withan enhanced identity challenge for answering by the user before allowinguser access when the current geo-location is outside the familiarlocation; otherwise not sending the enhanced identity challenge withinthe familiar location; and updating the user location profile todesignate the current geo-location as a new familiar location after asuccessful login attempt.
 21. The method of claim 20, furthercomprising: marking a user account as a compromised account upon afailed response to the identity challenge.
 22. The method of claim 20,further comprising: clearing a familiar location list of the compromisedaccount.
 23. The method of claim 20, further comprising: factoringwhether the user login attempt is from a trusted device into adetermination of the challenge level for the enhanced identitychallenge.
 24. The method of claim 20, further comprising: selecting thechallenge level for the enhanced identity challenge based on whether thecurrent geo-location is a fraud hotspot.